Issue: FFT Entity self-reported that technical problems with its physical access system caused the physical access logs for its PSPs to be corrupted and it was unable to reconstruct 5 hours of a 75-hour gap.

Finding: MRO found that this issue constituted only a minimal risk to BPS reliability since, during the relevant time when the time logging was not properly functioning, FFT Entity’s access controls continued to perform. In addition, the five-hour gap was confined to two access points.

Issue: On two occasions, FFT Entity failed to document the person responsible for escorting a visitor to the PSP as required by its visitor control program and in violation of R1.6.

Finding: The issue posed a minimal risk and did not pose a serious or substantial risk to the reliability of the BPS because the particular PSP is manned 24/7, and on each occasion the visitor had been escorted but the operator failed to document the logs.

Issue: While conducting a compliance audit, ReliabilityFirst determined that FFT Entity violated CIP-006-3c R1 because the control room containing CCAs in one of its facilities had a 12-inch gap between the top of the walls and the ceiling. CIP-006-3c R1 requires that entities maintain a six-wall border around all CCAs that are located within an ESP. FFT Entity filed a late Technical Feasibility Exception request stating that it needed the 12-inch gap to facilitate its heating, ventilation, and air conditioning systems, and that modification to the wall could affect air circulation in the facility.

Finding: The issue posed only a minimal risk to BPS reliability for three reasons. First, ReliabilityFirst approved FFT Entity’s proposal to mitigate the risk by installing motion sensors to monitor the 12 inch gap between the wall and the ceiling. Second, the entire facility is protected by security fencing and a guarded single-access gate. Third, both the building and the main control center inside the building can only be accessed by entrances equipped with card-readers, monitors and alarms. All these protections were installed for the duration of the issue.

Issue: FFT Entity self-reported that its access control system’s file backup process corrupted approximately 75 hours of stored physical access log data. While FFT Entity was able to reconstruct 70 hours of the corrupted data, it was not able to recover the other 5 hours. Therefore, FFT Entity did not keep all of its physical access logs for at least 90 days as required.

Finding: RFC found that this issue constituted only a minimal risk to the BPS since FFT Entity’s access control system operated continuously at all of the PSP access points and the five hours missing from the physical access logs only involved two PSP access points. In addition, there is no evidence that there was a cyber attack on FFT Entity’s access control system or any unauthorized physical access attempts into the PSP.

Issue: URE self-reported that it allowed access to a designated PSP on one occasion to a visitor, but it did not log the time of departure or the name of the escort. URE reported the event even though the logs were outside the 90-day log retention period required by the CIP Standards. Also, URE submitted evidence of the departure time and escort name. The visitor was at all times escorted while he was in the PSP.

Finding: FRCC found the violation constituted a minimal risk to BPS reliability because it was an isolated event and documentation related. Further, the visitor was escorted continuously during the time he was in the PSP.

Issue: URE notified WECC through a self-certification that it had allowed three individuals access to a PSP, housing two CCAs, without providing an escort for a period of approximately three minutes.

Finding: The issue was deemed by WECC to pose minimal risk to BPS reliability because the individuals did not have electronic access to the PSP, and the PSP has 24/7 monitoring and all access doors are alarmed in the event of forced entry.

Issue: URE filed a self-report disclosing that one of its employees accessed a cabinet housing a CCA related to URE’s management system in order to use the CCA, but did not properly return the PSP to being actively monitored upon completing the work to the CCA. The cabinet is classified as a PSP and requires a hard key to unlock it as well as card swiping upon access, which serves to turn off the monitoring function at the security center. Internal procedures call for the access card to be swiped again upon leaving the area in order to reactivate the PSP monitoring system. For this instance, the employee did not reactivate the PSP upon finishing his work with the CCA. The access system did not monitor the PSP until a security employee found that the cabinet was not being monitored and took appropriate steps to rectify the problem.

Finding: The issue was deemed by WECC to pose minimal risk to BPS reliability because the cabinet containing the CCA had been locked by key, and the relevant PSP is housed in a room that is staffed 24/7 and has electronic controls for the subject CCA. In the event of a security breach, operating personnel would have been alerted by other measures.

Issue: URE submitted a self-report after discovering four individuals (three contractors and one employee), were not continuously escorted while inside a Physical Security Perimeter (PSP) for approximately 30 minutes on a single day (in violation of R1.6). While URE did have a visitor control program and a log to document the entry and exit of visitors, per the standard, the employee who escorted the three contractors did not have authorized unescorted access to the PSP in question. RFC determined the issue with R1 did not substantiate an issue with CIP-004-3, which sets forth personnel and training requirements for individuals with access to Critical Cyber Assets (CCAs). The issue in question only involved Cyber Assets, not CCAs.

Finding: RFC determined this issue posed a minimal risk to the reliability BPS which was mitigated by the fact that the PSP in question was in the process of being decommissioned and did not enclose an ESP or any active Cyber Assets. The PSP contained Cyber Assets that had been removed from an ESP and were awaiting the disposal process. Furthermore, the employee completed CIP training and URE performed a personnel risk assessment prior to the employee escorting the three contractors within the PSP. The assessment revealed no issues that would preclude URE from granting the employee access to the PSP in question, and the employee qualified for authorized access to the PSP, in addition to being granted unescorted physical access to other nearby PSPs. Moreover, URE has a physical security plan and visitor control program that requires escorted access of visitors; this was deemed an isolated incident in which the employee and supervisor mistakenly believed the employee was authorized to serve as an escort in the PSP in question. URE conducted training, prior to and through the duration of the issue, on appropriate visitor control to ensure compliance with R1.6.

Issue: URE self-reported that, due to a misinterpretation of the Reliability Standard, it was not properly logging the physical entry of visitors into the PSPs (as visitors were only required to initially log in and log out at the end of the work day, not every time they exited and re-entered the PSP).

Finding: NPCC found that the issue constituted only a minimal risk to BPS reliability. The visitors were always being escorted while they were in the PSPs, and they were only in the field control houses (which are staffed by URE personnel).

Issue: URE self-certified that, as a result of a communication failure of physical access control panels at its backup control center, in one instance, which lasted for 4 hours and 22 minutes, physical access to the PSP was not being monitored. During that time, the alarm at the backup control center PSP was disabled.

Finding: WECC found that the issue constituted only a minimal risk to BPS reliability since the issue involved one PSP and lasted for under five hours. During that time, the backup control center was not in operation and access to the PSP was controlled (and logged) through a card reader. There were also no unauthorized access attempts.

Issue: FFT Entity self-certified that one of its employees gained unauthorized access to one of FFT Entity's PSPs as a result of walking through a door opened by an employee who did have authorized access to the PSP. Based on an alarm and instructions from the security guard, the employee left the PSP after only one minute and did not access any CCAs.

Finding: WECC found that the issue only constituted a minimal risk to BPS reliability since FFT Entity's security guards were contacted immediately after the unauthorized entry, and the relevant employee left the PSP promptly and did not access any CCAs. FFT Entity was continuously monitoring the PSPs and the PSP access point, including setting up alarms to warn of instances of unauthorized access. These protective measures proved successful in addressing the employee's unauthorized access to the PSP.

Issue: FFT Entity self-reported, as a BA, GOP, LSE, TOP, TO and TSP, that it did not file Technical Feasibility Exceptions (TFEs) relating to the installation of anti-virus software on two of its CCAs that serve to authorize and log physical access to a PSP.

Finding: WECC found that the issue only constituted a minimal risk to BPS reliability since the two CCAs were protected by a myriad of other measures. For example, both devices are contained within an ESP and PSP, with electronic access to the ESP being logged and monitored and alarms being set up to warn of unauthorized access to the PSP. Access to the PSPs and ESPs was limited and controlled.

Issue: During a compliance audit, SPP discovered three instances (involving one employee and two outside visitors) where FFT Entity did not properly log the escorted physical access of visitors to FFT Entity's control room PSP, contrary to FFT Entity's Physical Security Plan. FFT Entity did not record the exit times of the visitors, as required in the Physical Security Plan, and in one instance, did not list the name of the visitor's escort.

Finding: SPP found that the issue only constituted a minimal risk to BPS reliability since the three visitors went through multiple layers of security (such as checking in with FFT Entity security, receiving visitor badges and being provided with escorted access) in order to obtain access to the PSP. In addition, FFT Entity's control room is continuously staffed and monitored.

Issue: URE self-reported that an unescorted employee-in-training was in the PSP without authorized unescorted access to CCAs (in noncompliance with R1.6.2). The access door's lock was not working correctly, and the employee was removing garbage for seven minutes.

Finding: NPCC found the issue posed a minimal risk to the reliability of the BPS since URE's security received an alarm for "invalid access group" signaling a denial of access from the reader at the control room door for an attempt by an unauthorized employee, as well as a "forced door" alarm. URE's investigation into the matter determined that the access door's locking mechanism was no longer working, during which the time the PSP was continuously staffed by a number of employees with authorized access. In addition, the unauthorized employee that entered the PSP had completed the preconditions to receive authorized for access, although was not formerly approved. Also, the employee had completed a valid personnel risk assessment and had taken the mandatory CIP training course.

Issue: URE self-reported a violation of R5 of CIP-006-3c to MRO, stating that it failed to monitor a physical access point of a designated Physical Security Perimeter (PSP). Due to URE's air conditioning unit malfunctioning in its PSP, the resulting rising temperature within the room had potential to damage the communication equipment that connects and monitors field equipment to the primary control center. In order to alleviate the temperature, URE opened Doors 4 and 5, for about one hour and 14 hours, respectively. Door 4 opens to a hallway and Door 5 opens to the Communications Department work area where there is another door that opens to the same hallway as Door 4. Door 5 and the door inside the work area are the only doors that give access to the Communications Department work area. While these two doors were open, the operator monitored Door 4 for any unauthorized suspects to the PSP, and the Communications Department work area was locked down via the door in the work area.

Finding: MRO found that the issue posed a minimal risk to the reliability of the bulk power system for the following reasons: (1) the incident, taking place on a Sunday afternoon through Monday morning, happened while there was little activity in the building; (2) while Door 4 was open, only one person without authorized unescorted physical access was in the building; (3) the operator monitored Door 4 during the whole time Door 4 was opened; (4) the operator was able to hear if someone occupied the adjacent rooms due to raised flooring; (5) while Door 5 was open, the door inside the work area was locked and is only opened when the room has personnel to monitor the room. Because there was limited activity in the building and the URE was able to control PSP access for most of the time, MRO saw the issue as a minimal risk to the BPS.

Issue: URE self-reported a violation of R6 of CIP-006-3c to RFC. The violation involved an employee working in the control room without authorization for unescorted physical access to the control room. Another employee with authorized unescorted physical access escorted the employee but did not record the fact that the employee worked in the control room without authorization.

Finding: RFC found that the issue posed a minimal risk to the reliability of the bulk power system, because URE's internal system was in place to quickly locate and fix the violation. Additionally, the violation was a documentation issue, as an authorized employee did escort the unauthorized employee. Finally, RFC determined that the unauthorized employee was probably not a threat to URE's system since the employee works at the URE and was scheduled to work in the control room on the date of the incident.

Issue: URE1 self-reported a compliance issue to WECC stating that its risk-based assessment methodology (RBAM) had been revised, and based on that revision, three facilities were to be removed from its CA list. But, before the updated CA list was approved and final, URE1 employees transferred certain Physical Access Control System (PACS) devices that controlled access and logged information for the three facilities from the PACS virtual local area networks (VLAN) to the corporate security VLAN. By doing so, not all CIP security was available to the PACS devices during the time period the facilities' removal was awaiting approval.

Finding: The issue was deemed to pose minimal risk to BPS reliability and not serious or substantial risk. WECC found the risks to be limited based on the scope of the issue and other compensating measures afforded by URE1. In addition, URE1's corporate VLAN is an isolated access network and access is controlled and monitored. Any individual accessing the corporate security VLAN had received CIP training and had valid PRAs on file. Physical access to the PACS devices was also controlled and monitored, and the PACS devices were located inside a PSP. All access to the PSPs housing the PACS devices was logged during the relevant time period, which was four days.

Issue: URE3 self-reported to RFC that during the annual preventative maintenance on its security system it found several holes or gaps that required repair.

Finding: The issue was deemed to pose minimal risk to BPS reliability and not serious or substantial risk. The risk to BPS operations was mitigated because URE3 has other layers of security protecting its PSP.

Issue: URE3 submitted to the three Regional Entities a self-report explaining compliance issues with CIP-006-3c. (1) An IT employee went into a PSP without having the required authorization. As an operations employee with authorized unescorted physical access left the PSP, the IT employee grabbed the handle to the door before it completely closed. The IT employee eventually asked for assistance and was then escorted to the electronic logging system and allowed entry to the PSP as a visitor. (2) Staff from URE3 was attending a meeting with a URE3 engineer and the engineer left the meeting room to go to the printer leaving the staff unescorted during his absence. (3) A security guard escorted a repairman into URE3's control center kitchen but then left the individual unescorted while he worked on a vending machine. (4) After receiving an alarm indicating a door to a SCADA computer room had been forced open, URE's operations center employees found that a URE3 electrician had mistakenly entered the computer room thereby setting off the alarm, but he was unable to exit. A follow up investigation determined the door was not properly closing and locking. Further review discovered that the electrician's access to the area had been revoked while he was on a leave of absence, although he did maintain authorized unescorted physical access to other areas. (5) A URE wireman had visitors to a substation in order to pull new cables into the substation. It was determined that the wireman did not continuously escort the visitors while the work was ongoing.

Finding: The issues were deemed to pose minimal risk to BPS reliability and not serious or substantial risk. Regarding (1) above, the individual was logged and escorted once the issue was quickly discovered, and the IT employee was nowhere close to CCAs without an appropriate escort. Also, authorized personnel were nearby. Regarding (2), the meeting room where the individuals were left unescorted has no CCAs, and between the meeting room and URE3's CCA there are several levels of security access control devices. The engineer stated no one left the room during the relevant time period. Regarding (3), the kitchen where the vending machine repairman was left unescorted has no CCAs and six operators were on duty nearby during the time period. Those individuals reported the repairman did not leave the area. Regarding (4), the electrician had a valid PRA on file and had received cyber-security training. Prior to his leave of absence, he had authorized unescorted physical access to the computer room. All CCAs are protected by usernames and passwords, and the ESP is protected by an access control list. No contractors have usernames or passwords to access CCAs.

Issue: URE3 self-reported to RFC an issue with CIP-006-3c. In particular, a station crew was installing new control cables and had permission to leave the CIP station control building door propped open during the installation; however, the crew left the area unattended for approximately 20 minutes to look for materials in the station yard. URE3 did not monitor the physical access points during the time period.

Finding: The issue was deemed to pose minimal risk to BPS reliability and not serious or substantial risk. The risk to BPS operations was mitigated because the station manager recognized the violation and immediately reported it to the security department. There were no unauthorized personnel in the control house when the station superintendent returned to the building. Access to CCA devices is protected through security measures. And, the contractors were working outside the control house, and a supervisor was onsite during the relevant time period.

Issue: RFC_URE2 self-reported an issue with CIP-004-3 R3 to RFC, and RFC determined that in fact RFC_URE2 had an issue with CIP-006-3c R2.2 rather than the self-reported standard, because the entity had erroneously authorized an individual to have cyber access to the Physical Access Control System servers, which are Cyber Assets that authorize and/or log access to the Physical Security Perimeter. Rather than authorizing a particular employee with such access, authorization was granted to the supervisor that approved the access request. The error was corrected the day after it was discovered through a routine, periodic user access review.

Finding: RFC found that the issue posed a minimal risk to the reliability of the BPS because the supervisor who was given access in error is a long-time employee of RFC_URE2, and because the entity requires distinct access grants for its operating system, database and application for its assets. Even an individual with operating system level access does not have change/view privilege. Finally, the entity confirmed that the supervisor had neither attempted nor successfully logged onto the servers during the period at issue.

Finding: Texas RE found that this issue posed a minimal, but not a serious or substantial, risk to BPS reliability. There was no evidence of a cyber attack or physical intrusion associated with the missing logs. Further, access badges provided security to the Critical Cyber Assets during this time.

Issue: RFC_URE4 self-reported an issue with CIP-006-3c R1.4 to RFC, when it found that upon the direction of his/her supervisor, an employee had entered a physical security perimeter without authorization with a key that was intended for emergency use only. The employee had been asked to switch a line into service in anticipation of the arrival of a major weather event. This unauthorized access triggered an alarm which was subsequently investigated by security personnel, who required the employee to leave the PSP.

Finding: RFC found that the issue posed a minimal risk to the reliability of the BPS because the employee at issue was a long-time employee of the entity’s parent company who had a valid personnel risk assessment (PRA) at the time of the issue. Furthermore, the entity’s security personnel properly detected the unauthorized entry and removed the employee from the PSP within 15 minutes of entry. Finally, an anticipated major weather event was the precipitating factor for the events that lead to the issue.

Issue: SPP_URE4 self-reported that it did not maintain continuous escorted access to its Physical Security Perimeter (PSP) for two visitors, maintenance personnel, who entered without an escort. The visitors were in the secured area for nine minutes to change heating, ventilation, and air conditioning system filters.

Finding: SPP RE found that the issue posed a minimal, but not a serious or substantial, risk to BPS reliability. The room did not contain any Critical Cyber Assets (CCAs) and was separated by controlled access from the control center. An alarm would have gone off if the visitors tried to enter the control center, which is monitored by operators round the clock. The visitors did not try to enter the control center.